Try to find the program file with the find command, I guess it must be somwhere in /var/www or /tmp (not in /usr or other system directories). This is most likely a hcked or trojan script that uses the name of a common Linux application (klogd) to hide itself. But the real klogd would never run as www-data, so this fake program must be somewhere in one of your sites or in the tmp folder.

if it is malware then there is some kind of vulnerability to let it get uploaded and started. When you restart the process is not run on startup but the vulnerability is still there. It might be exploited again when the "hacker" realizes it is not running anymore.

Do you have suexec enabled in all websites as recommended? When suexec is on, then the scripts of each website run under the user of the website so that you can locate the website which causes the issues by the username of the user that runs the script.